Solved

Sonicwall UDP port forward

Posted on 2010-08-20
11
1,620 Views
Last Modified: 2012-05-10
Greetings,

I have a Sonicwall NSA240 in my network.

I need to open UDP port 21068 and NAT it to this IP address: 172.16.117.5.

I have successfully created my firewall/NAT rules with the built-in firewall wizard (which I already used to create other firewall/NAT rules that currently work).

The packets don't pass my firewall.

I installed nmap to see if the UDP port is open on my server and my firewall.

This is my command: nmap -p 21068 -sU -P0 SERVER

I tried this command from my local network and this is what I got:

nmap -p 21068 -sU -P0 172.16.117.5

Nmap scan report for 172.16.117.5
Host is up (0.00s latency).
PORT      STATE         SERVICE
21068/udp open|filtered unknown
MAC Address: 00:02:D9:09:01:94 (Reliable Controls)
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

I know that this port is open on the server.

I tried the same command on my SonicWall:

nmap -p 21068 -sU -P0 172.16.117.2

Nmap scan report for 172.16.117.2
Host is up (0.00s latency).
PORT      STATE         SERVICE
21068/udp open|filtered unknown
MAC Address: 00:17:C5:2C:5F:01 (SonicWALL)
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

It's supposed to be open on my SonicWall as well...

I decided to scan some other UDP ports on the server to see if the nmap output was right. When the port isn't open it gives me something like this:

PORT STATE SERVICE
34        Closed  unknown

I tried the same thing on my SonicWall, but it always tells me that the requested UDP port is open?

I also tried the nmap scan from outside my network. It gives me the same output (all UDP ports seem to be open).

Are all my UDP ports open on my SonicWall?

Also, do you have any idea why I can't access my server on the port I opened ?
0
Comment
Question by:tblinc
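The scan results above illustrate a common trap with nmap -sU: a UDP probe that gets no reply is reported as "open|filtered" whether a service is listening and ignoring the payload or a firewall is silently dropping the packet, so the identical output from the server and from the SonicWall proves nothing about the NAT rule. Only an ICMP port-unreachable reply (the "closed" case) or an actual application response settles the question. The script below is an added example, not code from this thread or from SonicWall; it runs a small loopback UDP service that answers only when it sees an agreed token (a stand-in for the real application on 172.16.117.5) and a probe that classifies the outcome the way nmap does, but with a payload the service will actually answer. The token and loopback addresses are constructed for the example; in practice you would run the responder on the internal host and the probe from outside the firewall.

```python
import socket
import threading

# Constructed value: any payload the responder recognises will do. The real
# service behind the poster's NAT rule (UDP/21068 -> 172.16.117.5) has its own
# protocol; this token only makes the loopback demonstration deterministic.
PROBE_TOKEN = b"udp-forward-check"


def start_responder(token=PROBE_TOKEN):
    """Start a loopback UDP service that replies only to the expected token.

    Returns (port, stop_event). Like many real UDP services it stays silent on
    payloads it does not understand, which is exactly why nmap's empty probes
    come back as open|filtered even when the port is open.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    sock.settimeout(0.2)                 # lets the loop notice the stop flag
    port = sock.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            if data == token:
                sock.sendto(b"ACK:" + data, peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def probe_udp(host, port, payload, timeout=1.0):
    """Classify a UDP port using the same three states nmap -sU reports.

    'open'          : something answered, so the end-to-end path works
    'closed'        : ICMP port unreachable came back (nothing listening, and
                      nothing in between dropped the probe or the ICMP reply)
    'open|filtered' : silence; the service ignored the payload or a firewall
                      dropped it, and this test cannot tell which
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        # A connected UDP socket is what makes the OS report ICMP errors to us.
        sock.connect((host, port))
        sock.send(payload)
        sock.recv(2048)
    except (ConnectionRefusedError, ConnectionResetError):
        return "closed"                  # ICMP port unreachable surfaced here
    except socket.timeout:
        return "open|filtered"
    finally:
        sock.close()
    return "open"


def run_checks():
    """Exercise all three outcomes on loopback and return them keyed by case."""
    port, stop = start_responder()
    try:
        results = {
            "correct token": probe_udp("127.0.0.1", port, PROBE_TOKEN),
            "unknown payload": probe_udp("127.0.0.1", port, b"nmap-style-empty-probe"),
        }
    finally:
        stop.set()
    # Grab a port nothing is listening on to show the ICMP-driven 'closed' state.
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))
    free_port = spare.getsockname()[1]
    spare.close()
    results["nothing listening"] = probe_udp("127.0.0.1", free_port, PROBE_TOKEN)
    return results


if __name__ == "__main__":
    for case, state in run_checks().items():
        print(f"{case:18s} -> {state}")
```

Run from outside the firewall with the responder on the internal host, "open" confirms the NAT rule and every policy in the path; "open|filtered" means the packet or the reply was dropped somewhere and the SonicWall log or a packet capture is the next place to look, which is the same advice the replies below give.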
 
LVL 33

Expert Comment

by:digitap
I'd check the log with a connection attempt going to see what it hits.  On the NSA 240, you can setup a packet capture to see if it's getting through.  You might also consider disabling any of the security services for a testing period.  Additionally, check the LAN > WAN and WAN > LAN rules to confirm they're accurate.
0
 
LVL 33

Expert Comment

by:digitap
Also, please post the logs back here so we can have a look at them.
0
 

Author Comment

by:tblinc
I set up a VPN connection instead. My VPN connection builds successfully, but I can only ping my DNS server and my SonicWall.

I can't ping anything else on my network.

I tried to add a firewall rule

VPN -> LAN allow any, but it doesn't work.
0
 
LVL 33

Expert Comment

by:digitap
What does the LAN to VPN rule look like?
0
 

Author Comment

by:tblinc
Priority | Source                    | Destination       | Service | Action | Users
1        | WAN RemoteAccess Networks | Vpn DHCP Clients  | Any     | Allow  | All
0
 

Author Comment

by:tblinc
I saw this when I tried to ping something on my network:


log.jpg
0
 
LVL 33

Expert Comment

by:digitap
Thanks for your patience.

You need to look at the LAN > VPN and VPN > LAN settings.  I don't get the feeling that we're getting there yet.  The best way is to go to Firewall > Access Rules.  Click the radio button called "Drop-down Boxes" and select the From Zone and To Zone.

Regarding the screen shot, IPS is only alerting of the ping.  Since you are not blocking Low alerts, it's only notifying not dropping.
0
 

Accepted Solution

by: tblinc earned 0 total points
I finally found my error.

I have client and server antivirus software provided by my SonicWall. The computer in question doesn't have the antivirus installed. So all the traffic was reaching this computer, but the computer itself couldn't send anything on the network.

I removed it from the scope and it finally works successfully.

Thank you for your help.
0
 
LVL 33

Expert Comment

by:digitap
So, the SonicWall was blocking it because it didn't have the AV client installed, right?
0
 

Author Comment

by:tblinc
Right.
0
 
LVL 33

Expert Comment

by:digitap
Didn't think of that. Guess I didn't realize you were using the client AV as well as the gateway AV on the SonicWall.
0